Comments 0

Document transcript

Ecient and Secure Network Routing AlgorithmsMichael T.GoodrichCenter for Algorithm EngineeringDept.of Computer ScienceJohns Hopkins UniversityBaltimore,MD 21218goodrich@jhu.eduAbstractWe present several algorithms for network routing that are resilient to various attacks on therouters themselves.Our methods for securing routing algorithms are based on a novel\leap-frog"cryptographic signing protocol,which is more ecient than using traditional public-keysignature schemes.1 IntroductionRouting messages in a network is an essential component of Internet communication,as each packetin the Internet must be passed quickly through each network (or autonomous system) that it musttraverse to go from its source to its destination.It should come as no surprise,then,that mostmethods currently deployed in the Internet for routing in a network are designed to forward packetsalong shortest paths.Indeed,current interior routing protocols,such as OSPF,RIP,and IEGP,are based on this premise,as are many exterior routing protocols,such as BGP and EGP (e.g.,see [5,9]).The algorithms that form the basis of these protocols are not secure,however,and have evenbeen compromised by routers that did not follow the respective protocols correctly.Fortunately,all network malfunctions resulting from faulty routers have to date been shown to be the resultof miscongured routers,not malicious attacks.Nevertheless,these failures show the feasibility ofmalicious router attacks,for they demonstrate that compromising a single router can underminethe performance of an entire network.1.1 Security GoalsWe are therefore interested in methods for securing routing algorithms against attacks,independentof whether those attacks are malicious or not.Our desire is to design methods that achieve thefollowing properties: Fault detection.The algorithm should run correctly and,in addition,should detect anycomputational steps that would compromise the correctness of the algorithm. Damage containment.The algorithm should contain the damage caused by an incorrectrouter to as small an area of the network as possible. Authentication.The algorithm should conrm that each message is sent from the host orrouter that the message identies as its source. Data integrity.The algorithm should conrm that the contents of received messages arethe same as when they are sent,and that all components of a message are as intended by thealgorithm (even those message portions added by routers other than the original sender).1 Timeliness.The algorithm should conrm that all messages interacting to perform thisalgorithm are current up-to-date messages,thereby preventing replay attacks.We are not explicitly requiring that we also achieve condentiality,since this can easily be achievedby encrypting the sensitive content of a message.For example,message content encryption can beachieved in the application layer or by using services in the IPSec protocol (which does not addressrouting security,just end-to-end message authentication and condentiality).1.2 Prior Related WorkRouting security was rst studied in the seminal work of Perlman [8] (see also [9]),who studiedﬂooding and shortest-path routing algorithms that are resilient to faulty routers.Here schemes arebased on using a public key infrastructure where each router x is given a public key/private keypair and must sign each message that originates from x.Likewise,in her schemes,any router ythat wants to authenticate a message M checks the signature of the router x that originated it.Such a signature-based approach is sucient,for example,to design a secure version of the ﬂoodingalgorithm,which can be further used to design a secure algorithm for the setup phase of link-staterouting.Moreover,as we will show,a signature-based approach can also be used to design a securedistance-vector routing setup algorithm as well.Even so,several researchers have commented that,from a practical point of view,requiring full public-key signatures on all messages is probably notecient.Signing and checking signatures are expensive operations when compared to the simpletable lookups and computations performed in the well-known routing algorithms.Nevertheless,Murphy et al.[7,6] discuss some of the details of a protocol that would implement such a scheme.Likewise,Smith et al.[11] discuss how to extend a signature-based approach to distance-vectoralgorithms.Motivated by the desire to create ecient and secure routing algorithms,several researchershave recently designed routing algorithms that achieve routing security at computational costs thatare argued to be superior to those of Perlman.Given that the signature-based of Perlman is alreadyhighly-secure,this recent research has used fast cryptographic tools,such as hashing,instead ofsignatures on all messages.Nevertheless,since there is a natural trade-o between computationalspeed and security,this research has also involved the introduction of additional assumptions aboutthe network or restrictions on the kinds of network attacks that one is likely to encounter.Thechallenge,then,for this new line of research in routing security is to create practical and securerouting algorithms by introducing natural assumptions on the network and its attackers while alsousing fast cryptographic tools to secure the routing algorithms under these assumptions.Cheung [2] shows how to use hash chaining to secure routing algorithms,assuming that therouters have synchronized clocks.His scheme is not timely,however,as it can only detect attackslong after they have happened.Hauser et al.[4] avoid that defect by using hash chains to insteadreveal the status of specic links in a link-state algorithm.That is,their protocol is limited tosimple yes-no types of messages.In addition,because of the use of hash chains,they require thatthe routers in the network be synchronized.Zhang [14] extends their protocol for more complexmessages,but does so at the expense of many more hash chains,and his protocol still requiressynchronized routers.It is not clear,in fact,whether his scheme would actually be faster than afull-blown digital signature approach,as advocated in the early work of Perlman.As will be the focus in this paper,all of these previous papers focused on the issue of how torobustly perform ﬂooding protocols and set up the routing tables for link-state algorithms.Also ofrelated interest,is work of Bradley et al.[1],who discuss ways of improving the security of packetdelivery after the routing tables have been built.In addition,Wu et al.[13] and Vetter et al.[12]2discuss some practical and empirical issues in securing routing algorithms.Of specic interest intheir work is their observation that a single bad router can adversely aect an entire network foras much as an hour or more.1.3 Our ResultsIn this paper we describe a new approach to securing the setup and ﬂooding stages of routingalgorithms.After a preliminary setup that involves distributing a set of secret keys equal that totalno more than the number of routers,our method uses simple cryptographic hashing of messages(HMACs) to achieve security.Our approach involves the use of a technique we call\leap-frog"message authentication,as it allows parties in a long chain to authenticate messages between everyother member in the chain.Using this approach,we show how to secure ﬂooding,link-state,anddistance-vector algorithms,under the reasonable assumption that no two bad routers are colludingand are within two hops of each other.Such a strategy would even be eective for routing inGnutella networks,which are notoriously insecure but experience few,if any,insider collusionattacks.Our algorithms can also be used in multicast routing,for they allow a router to receivemessages from an untrusted neighbor in such a way that the neighbor cannot modify the messagecontents without being detected.We describe the main details of our leap-frog approach to routersecurity in the sections that follow.2 FloodingWe begin by discussing the ﬂooding protocol and a low-cost way of making it more secure.Ourmethod involves the use of a novel\leap frog"message-authenticating scheme using cryptographichashing.2.1 The Network Framework and the Flooding AlgorithmLet G = (V;E) be a network whose vertices in V are routers and whose edges in E are directconnections between routers.We assume that the routers have some convenient addressing mech-anism that allows us without loss of generality to assume that the routers are numbered 1 to n.Furthermore,we assume that G is biconnected,that is,that it would take at least two routers tofail in order to disconnect the network.This assumption is made both for fault tolerance,as singlepoints of failure should be avoided in computer networks,and also for security reasons,for a routerat an articulation point can fail to route packets from one side of the network to the other withoutthere being any immediate way of discovering this abuse.The ﬂooding algorithm is initiated by some router s creating a message M that it wishes tosend to every other router in G.The typical way the ﬂooding algorithm is implemented is that sincrementally assigns sequence numbers to the messages it sends.So that if the previous messagethat s sent had sequence number j,then the message M is sent with sequence number j +1 andan identication of the message source,that is,as the message (s;j +1;M).Likewise,every routerx in G maintains a table Sxthat stores the largest sequence number encountered so far from eachpossible source router in G.Thus,any time a router x receives a message (s;j + 1;M) from anadjacent router y the router x rst checks if Sx[s] < j +1.If so,then x assigns Sx[s] = j +1 and xsends the message (s;j +1;M) to all of its adjacent routers,except for y.If the test fails,however,then x assumes it has handled this message before and it discards the message.If all routers perform their respective tasks correctly,then the ﬂooding algorithm will send themessage M to all the nodes in G.Indeed,if the communication steps are synchronized and done3in parallel,then the message M propagates out from s is a breadth-rst fashion.If the security of one or more routers is compromised,however,then the ﬂooding algorithm canbe successfully attacked.For example,a router t could spoof the router s and send its own message(s;j +1;M0).If this router reaches a router x before the correct message,then x will propagatethis imposter message and throw away the correct one when it nally arrives.Likewise,a corruptedrouter can modify the message itself,the source identication,and/or the sequence number of thefull message in transit.Each such modication has its own obvious bad eects on the network.Forexample,incrementing the sequence number to j +mfor some large number mwill eectively blockthe next m messages from s.Indeed,such failures have been documented (e.g.,[13,12]),althoughmany such failures can be considered router misconguration not malicious intent.Of course,from the standpoint of the source router s the eect is the same independent of any maliciousintent|all ﬂooding attempts will fail until s completes mattempted ﬂooding messages or s sends asequence number reset command (but note that the existence of unauthenticated reset commandsitself presents the possibility for abuse).2.2 Securing the Flooding Algorithm on General NetworksOn possible way of avoiding the possible failures that compromised or miscongured routers caninﬂict on the ﬂooding algorithm is to take advantage of a public-key infrastructure dened forthe routers.In this case,we would have s digitally sign every ﬂooding message it transmits,andhave every router authenticate a message before sending it on.Unfortunately,this approach iscomputationally expensive.It is particularly expensive for overall network performance,for,as wediscuss later in this paper,ﬂooding is often an important substep in general network administrationand setup tasks.Our scheme is based on a light-weight strategy,which we call the leap-frog strategy.The initialsetup for our scheme involves the use of a public-key infrastructure,but the day-to-day operationof our strategy takes advantage of much faster cryptographic methodologies.Specically,we denefor each router x the set N(x),which contains the vertices (routers) in G that are neighbors of x(which does not include the vertex x itself).That is,N(x) = fy:(x;y) 2 E and y 6= xg:The security of our scheme is derived from a secret key k(x) that is shared by all the vertices inN(x),but not by x itself.This key is created in a setup phase and distributed securely using thepublic-key infrastructure to all the members of N(x).Note,in addition,that y 2 N(x) if and onlyif y 2 N(y).Now,when s wishes to send the message M as a ﬂooding message to a neighboring router,x,itsends (s;j +1;M;h(sjj +1jMjk(x));0),where h is a cryptographic hash function that is collisionresistant (e.g.,see [10].Any router x adjacent to s in G can immediately verify the authenticity ofthis message (except for the value of this application of h),for this message is coming to x alongthe direct connection from s.But nodes at distances greater than 1 from s cannot authenticatethis message so easily when it is coming from a router other than s.Fortunately,the propagationprotocol will allow for all of these routers to authenticate the message froms,under the assumptionthat at most one router is compromised during the computation.Let (s;j +1;M;h1;h2) be the message that is received by a router x on its link from a router y.If y = s,then x is directly connected to s,and h2= 0.But in this case x can directly authenticatethe message,since it came directly from s.In general,for a router x that just received this messagefrom a neighbor y with y 6= s,we inductively assume that h2is the hash value h(sjj +1jMjk(y)).Since x is in N(y),it shares the key k(y) with y's other neighbors;hence,x can authenticate the4message from y by using h2.This authentication is sucient to guarantee correctness,assuming nomore than one router is corrupted at present,even though x has no way of verifying the value of h1.So to continue the propagation assuming that ﬂooding should continue from x,the router x sendsout to each w that is its neighbor the message (s;j +1;M;h(Mjj +1jk(w));h1).Note that thismessage is in the correct format for each such w,for h1should be the hash value h(sjj +1jMjk(x)),which w can immediately verify,since it knows k(x).Note further that,just as in the insecureversion of the ﬂooding algorithm,the rst time a router w receives this message,it can process it,updating the sequence number for s and so on.This simple protocol has a number of performance advantages.First,froma security standpoint,inverting or nding collisions for a cryptographic hash function is computationally dicult.Thus,it is considered infeasible for a router to fake a hash authentication value without knowing theshared key of its neighbors,should it attempt to alter the contents of the message M.Likewise,should a router choose to not send the message,then the message will still arrive,by an alternateroute,since the graph G is biconnected.The message will be correctly processed in this case aswell,since a router is not expecting messages from s to arrive from any particular direction.Thatis,a router x does not have to wait for any other messages or verications before sending in turna message M on to x's neighbors.Another advantage of this protocol is its computational eciency.The only additional workneeded for a router x to complete its processing for a ﬂooding message is for x to perform onehash computation for each of the edges of G that are incident on x.That is,x need only performdegree(x) hash computations,where degree(x) denotes the degree of x.Typically,for communi-cation networks,the degree of a router is kept bounded by a constant.Thus,this work comparesquite favorably in practice to the computations that would be required to verify a full-blown digitalsignature from a message's source.The leap-frog routing process can detect a router malfunction in the ﬂooding algorithm,for anyrouter y that does not follow the protocol will be discovered by one of its neighbors x.Assumingthat x and y do not collude to suppress the discovery of y's mistake in this case,then x can reportto s or even a network administrator that something is potentially wrong with y.For in this case,y has clearly not followed the protocol.In addition,note that this discovery will occur in just onemessage hop from y.2.3 Trading Message Size for Hashing ComputationsIn some contexts it might be too expensive for a router to perform as many hash computations asit has neighbors.Thus,we might wonder whether it is possible to reduce the number of hashesthat an intermediate router needs to do to one.In this subsection we describe how to achieve sucha result,albeit at the expense of increasing the size of the message that is sent to propagate theﬂooding message.Since our method is based on a coloring of the vertices of G,we refer to thisscheme as the chromatic leap-frog approach.In this case,we change the preprocessing step to that of computing a small-sized coloring ofthe vertices in G so that no two nodes are assigned the same color.Algorithms for computing orapproximating such colorings are known for a wide variety of graphs.For example,a tree can becolored with two colors.Such colorings might prove useful in applying our scheme to multicastingalgorithms,since most multicasting communications actually take place in a tree.A planar graphcan be colored with four colors,albeit with some diculty,and coloring a planar graph with vecolors is easy.Finally,it is easy to color a graph that has maximumdegree d using at most d+1 colorsby a straightforward greedy algorithm.This last class of graphs is perhaps the most importantfor general networking applications,as most communications networks bound their degree by a5constant.Let the set of colors used to color G be simply numbered from 1 to c and let us denote with Vithe set of vertices in G that are given color i,for i = 1;2;:::;c,with c  2.As a preprocessingstep,we create a secret key kifor the color i.We do not share this color with the members of Vi,however.Instead,we share kiwith all the vertices that are not assigned color i.When a router s wishes to ﬂood a message M with a new sequence number j +1,in this newsecure scheme,it creates a full message as (s;j + 1;M;h1;h2;:::;hc),where each hi= h(sjj +1jMjki).(As a side note,we observe that the prex of the bit string being hashed repeatedly by sis the same for all hashes,and its hash value in an iterative hashing function need only be computedonce.) There is one problem for s to build this message,however.It does not know the value of ki,where i is the color for s.So,it will set that hash value to 0.Then,s sends this message to eachof its neighbors.Suppose now that a router x receives a message (s;j + 1;M;h1;h2;:::;hc) from its neighbors.In this case x can verify the authenticity of the message immediately,since it is coming alongthe direct link from s.Thus,in this case,x does not need to perform any hash computationsto validate the message.Still,there is one hash entry that is missing in this message (and iscurrently set to zero):namely,hi= 0,where i is the color of s.In this case,the router x computeshj= h(sjj +1jMjkj),since it must necessarily share the value of kj,by the denition of a vertexcoloring.The router x then sends out the (revised) message (s;j +1;M;h1;h2;:::;hc).Suppose then that a router x receives a message (s;j +1;M;h1;h2;:::;hc) from its neighbory 6= s.In this case we can inductively assume that each of the hivalues is dened.Moreover,xcan verify this message by testing if hi= h(sjj +1jMjki),where i is the color for y.If this testsucceeds,then x accepts the message as valid and sends it on to all of its neighbors except y.Inthis case,the message is authenticated,since y could not manufacture the value of hi.If the graph G is biconnected,then even if one router fails to send a message to its neighbors,the ﬂood will still be completed.Even without biconnectivity,if a router modies the contents ofM,the identity of s,or the value of j+1,this alteration will be discovered in one hop.Nevertheless,we cannot immediately implicate a router x if its neighbor y discovers an invalid hivalue,wherei is the color of x.The reason is that another router,w,earlier in the ﬂooding could have simplymodied this hivalue,without changing s,j + 1,or M.Such a modication will of course bediscovered by y,but y cannot know which previous router performed such a modication.Thus,we can detect modications to content in one hop,but we cannot necessarily detect modicationsto hivalues in one hop.Even so,if there is at most one corrupted router in G,then we will discovera message modication if it occurs.If the actual identication of a corrupted router is importantfor a particular application,however,then it might be better to use the non-chromatic leap-frogscheme,since it catches and identies a corrupted router in one hop.3 Setup for Link-State RoutingHaving discussed how to eciently secure the ﬂooding algorithm,let us next turn to a point-to-pointunicast routing algorithm|the link-state algorithm.This algorithm is the basis of the well-knownand highly-used OSPF routing protocol.In this algorithm,we build at each router in a networkG a table,which indicates the distance to every other router in G,together with an indication ofwhich link to follow out of x to traverse the shortest path to another router.That is,we store Dxand Cxat a router x so that Dx[y] is the distance to router y from x and Cx[y] is the link to followfrom x to traverse a shortest path from x to y.These tables are built by a simple setup process,which we can now make secure using the leap-6frog scheme described above.The setup begins by having each router x poll each of its neighbors,y,to determine the state of the link from x to y.This determination assigns a distance weight tothe link from x to y,which can be 0 or 1 if we are interested in simply if the link is up or down,orit can be a numerical score of the current bandwidth or latency of this link.In any case,after eachrouter x has determined the states of all its adjacent links,it ﬂoods the network with a messagethat contains a vector of all the distances it determined to its neighbors.Under our protectedscheme,we now perform this ﬂooding algorithm using the leap-frog or chromatic leap-frog method.Once this computation completes correctly,we compute the vectors Dxand Cxfor each router xby a simple local application of the well-known Dijkstra's shortest path algorithm (e.g.,see [3]).Thus,simply by utilizing a secure ﬂooding algorithm we can secure the setup for the link-staterouting algorithm.Securing the setup for another well-known routing algorithm takes a little moreeort than this,however,as we explore in the next section.4 Setup for Distance-Vector RoutingAnother important routing setup algorithm is the distance-vector algorithm,which is the basisof the well-known RIP protocol.As with the link-state algorithm,the setup for distance-vectoralgorithm creates for each router x in G a vector,Dx,of distances fromx to all other routers,and avector Cx,which indicates which link to follow from x to traverse a shortest path to a given router.Rather than compute these tables all at once,however,the distance vector algorithm producesthem in a series of rounds.4.1 Reviewing the Distance-Vector AlgorithmInitially,each router sets Dx[y] equal to the weight,w(x;y),of the link from x to y,if there is sucha link.If there is no such link,then x sets Dx[y] = +1.In each round each router x sends itsdistance vector to each of its neighbors.Then each router x updates its tables by performing thefollowing computation:for each router y adjacent to x dofor each other router w doif Dx[w] > w(x;y) +Dy[w] thenfIt is faster to rst go to y on the way to w.gSet Dx[w] = w(x;y) +Dy[w]Set Cx[w] = yend ifend forend forIf we examine closely the computation that is performed at a router x,it can be modeled asthat of computing the minimum of a collection of values that are sent to x from adjacent routers(that is,the w(x;y)+Dy[w] values),plus some comparisons,arithmetic,and assignments.Thus,tosecure the distance-vector algorithm,the essential computation is that of verifying that the routerx has correctly computed this minimum value.We shall use again the leap-frog idea to achieve thisgoal.4.2 Securing the Setup for the Distance-Vector AlgorithmSince the main algorithmic portion in testing the correctness of a round of the distance-vectoralgorithm involves validating the computation of a minimum of a collection of values,let us focus7more specically on this problem.Suppose,then,that we have a node x that is adjacent to acollection of nodes y0,y1,:::,yd−1,and each node yisends to x a value ai.The task x is toperform is to computem= mini=0;1;:::;d−1faig;in a way that all the yi's are assured that the computation was done correctly.As in the previoussections,we will assume that at most one router will be corrupted during the computation (but wehave to prevent and/or detect any fallout from this corruption).In this case,the router that weconsider as possibly corrupted is x itself.The neighbors of x must be able therefore to verify everycomputation that x is to perform.To aid in this verication,we assume a preprocessing step hasshared a key k(x) with all d of the neighbors of x,that is,the members of N(x),but is not knownby x.The algorithm that x will use to compute m is the trivial minimum-nding algorithm,where xiteratively computes all the prex minimum valuesmj= mini=0;:::;jfaig;for j = 0;:::;d−1.Thus,the output from this algorithm is simply m= md−1.The secure versionof this algorithm proceeds in four communication rounds:1.Each router yisends its value aito x,as Ai= (ai;h(aijk(x)),for i = 0;1;:::;d −1.2.The router x computes the mivalues and sends the message (mi−1;mi;Ai−1 mod d;Ai+1 mod d)to each yi.The validity of Ai−1 mod dand Ai+1 mod d) is checked by each such yiusing thesecret key k(x).Likewise,each yichecks that mi= minfmi−1;aig.3.If the check succeeds,each router yisends its verication of this computation to x as Bi=(\yes00;i;mi;h(\yes00jmijijk(x))).(For added security yican seed this otherwise short messagewith a random number.)4.The router x sends the message (Bi−1 mod d;Bi+1 mod d) to each yi.Each such yichecks thevalidity of these messages and that they all indicated\yes"as their answer to the check onx's computation.This completes the computation.In essence,the above algorithm is checking each step of x's iterative computation of the mi's.But rather than do this checking sequentially,which would take O(d) rounds,we do this check inparallel,in O(1) rounds.References[1] K.A.Bradley,S.Cheung,N.Puketza,B.Mukherjee,and R.A.Olsson.Detecting disruptiverouters:A distributed network monitoring approach.In IEEE Symposium on Security andPrivacy,pages 115{124,1998.[2] S.Cheung.An ecient message authentication scheme for link state routing.In 13th AnnualComputer Security Applications Conference,pages 90{98,1997.[3] T.H.Cormen,C.E.Leiserson,and R.L.Rivest.Introduction to Algorithms.MIT Press,Cambridge,MA,1990.8[4] R.Hauser,T.Przygienda,and G.Tsudik.Reducing the cost of security in link-state routing.Computer Networks and ISDN Systems,1999.[5] C.Kaufman,R.Perlman,and M.Speciner.Network Security:Private Communication in aPublic World.Prentice-Hall,Englewood Clis,NJ,1995.[6] S.Murphy,M.Badger,and B.Wellington.RFC 2154:OSPF with digital signatures,June1997.Status:EXPERIMENTAL.[7] S.L.Murphy and M.R.Badger.Digital signature protection of OSPF routing protocol.In Proceedings of the 1996 Internet Society Symposium on Network and Distributed SystemSecurity,pages 93{102,1996.[8] R.Perlman.Network Layer Protocol with Byzantine Agreement.PhD thesis,The MIT Press,Oct.1988.LCS TR-429.[9] R.Perlman.Interconnections,Second Edition:Bridges,Routers,Switches,and Internetwork-ing Protocols.Addison-Wesley,Reading,MA,USA,2000.[10] B.Schneier.Applied cryptography:protocols,algorithms,and sourcecode in C.John Wileyand Sons,Inc.,New York,1994.[11] B.R.Smith,S.Murthy,and J.Garcia-Luna-Aceves.Securing distance-vector routing proto-cols.In Symposium on Network and Distributed Systems Security (NDSS'97),1997.[12] B.Vetter,F.-Y.Wang,and S.F.Wu.An experimental study of insider attacks for the OSPFrouting protocol.In 5th IEEE International Conference on Network Protocols,1997.[13] S.F.Wu,F.-Y.Wang,Y.F.Jou,and F.Gong.Intrusion detection for link-state routingprotocols.In IEEE Symposium on Security and Privacy,1997.[14] K.Zhang.Ecient protocols for signing routing messages.In Symposium on Network andDistributed Systems Security (NDSS'98),San Diego,California,1998.Internet Society.9